Running Gradle Tooling API in sandbox with SecurityManager


I’d like to create a service which lets users try Gradle through a web application. The target audience is my colleagues in my company.
The general use case would be that a user submits a build file, it is stored in a temporary directory and the server performs a Gradle build through the tooling API.

When running the server without a security manager, everything works fine.

When setting a security manager - I use Tomcat 8 with the -security flag at the moment - I have to define permissions for Gradle jars:
grant codeBase "file:${gradle.installation.dir}/-" { permission; };

Now I am trying to restrict permissions to avoid people submitting code that could harm the service. So far I have found that Gradle requires at least these permissions to start:
grant codeBase "file:${gradle.installation.dir}/-" {
    permission java.lang.RuntimePermission "createSecurityManager";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission "${catalina.base}/webapps/ROOT/WEB-INF/-", "read";
    permission java.util.PropertyPermission "slf4j.detectLoggerNameMismatch", "read";
};

At this point, I face an issue that I cannot solve:
Could not create an instance of Tooling API implementation using the specified Gradle installation
Caused by: java.lang.NullPointerException: null
at org.gradle.util.GradleVersion.(

Apparently Gradle cannot load the org/gradle/ text file bundled in the gradle-core jar.

I wanted to patch to add the following lines:
URL resource = GradleVersion.class.getResource(RESOURCE_NAME);
if (resource == null) {
    // Resource not found, try to load through the context class loader bound to the current thread
    resource = Thread.currentThread().getContextClassLoader().getResource(RESOURCE_NAME);
}

But being behind a proxy, when I run ./gradlew build, all integration tests requiring access to jcenter fail.

I have a $GRADLE_USER_HOME/ setting http(s) proxy.
I tried to modify the gradlew script to add the -Dhttp.proxyHost/Port variables.
I thought that the gradle wrapper could be the issue, so I tried with my local gradle installation, but running gradle build fails very early (within buildSrc).

A few questions for people browsing the forum:
1. Have you ever tried to run the Gradle Tooling API with a Security Manager?
2. If so, do you have a pointer on some documentation listing required permissions please?
3. Do you have a trick to build gradle behind a proxy?

Thank you.

I somewhat managed to build Gradle (from the REL_2.14.1 tag) by disabling integTest (not proud of myself).
The patch works.

But, unfortunately, Gradle Tooling API requires so many permissions to start Gradle that it is almost the same as using

Therefore, I think I’ll go with a ProcessBuilder + su [limited_user] -c gradle […]…

Or let the builds run in an isolated container where they can’t cause any harm.

Thank you Stefan for the advice. I do think this is the best solution, provided that you have access to containerization.
Good luck with the next releases.
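
The "ProcessBuilder + su [limited_user]" approach mentioned in the thread, sketched as an added example (not code from any poster or from Gradle). The account name `gradle-sandbox`, the 120-second limit, the PATH value and the class name are assumptions, and the server is assumed to have the privileges `su` and `chown` require.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.UserPrincipal;
import java.util.concurrent.TimeUnit;

public class SandboxedGradleRunner {
    // Assumed values, not from the thread: account name, time limit, gradle on this PATH.
    static final String LIMITED_USER = "gradle-sandbox";
    static final long TIMEOUT_SECONDS = 120;

    /** Runs the submitted build file as LIMITED_USER; returns the exit code, or -1 on timeout. */
    public static int run(Path submittedBuildFile, Path logFile)
            throws IOException, InterruptedException {
        // Per-request directory; the upload is always stored as build.gradle, so no
        // user-controlled string reaches the command line handed to su.
        Path workDir = Files.createTempDirectory("gradle-try-");
        Path buildFile = workDir.resolve("build.gradle");
        Files.copy(submittedBuildFile, buildFile);

        // Hand the directory to the limited account (needs the same privileges su needs).
        UserPrincipal owner = workDir.getFileSystem()
                .getUserPrincipalLookupService().lookupPrincipalByName(LIMITED_USER);
        Files.setOwner(workDir, owner);
        Files.setOwner(buildFile, owner);

        // The -c string is a constant: nothing from the request is interpolated into it.
        ProcessBuilder pb = new ProcessBuilder(
                "su", "-s", "/bin/sh", "-c", "gradle --no-daemon build", LIMITED_USER);
        pb.directory(workDir.toFile());
        pb.environment().clear();                 // do not leak the server's environment
        pb.environment().put("PATH", "/usr/local/bin:/usr/bin:/bin");
        pb.redirectErrorStream(true);
        pb.redirectOutput(logFile.toFile());      // log is kept outside the work directory

        Process process = pb.start();
        if (!process.waitFor(TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
            // Kill su and everything it spawned (descendants() requires Java 9+).
            process.descendants().forEach(ProcessHandle::destroyForcibly);
            process.destroyForcibly();
            return -1;
        }
        return process.exitValue();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("gradle exit code: " + run(Paths.get(args[0]), Paths.get(args[1])));
    }
}
```

Running under a separate account only limits what the build can reach on the file system; it does not restrict network access, CPU or memory, which is where the container suggestion in the thread goes further.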